From 834a8fc30fcbb81c5a97b72c598b977a8f87a8c8 Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Tue, 21 Aug 2007 07:58:55 +0000 Subject: [PATCH] any response validation. git-svn-id: file:///svn/unbound/trunk@535 be551aaa-1e26-0410-a405-d3ace91eadb9 --- doc/Changelog | 9 ++++-- validator/validator.c | 68 ++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 74 insertions(+), 3 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index 3f2db5acd..325927ee1 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,8 +1,13 @@ -18 August 2007: Wouter - - process DNSKEY response in FINDKEY state. +21 August 2007: Wouter + - ANY response validation. + +20 August 2007: Wouter - validate and positive validation, positive wildcard NSEC validation. - nodata validation, nxdomain validation. +18 August 2007: Wouter + - process DNSKEY response in FINDKEY state. + 17 August 2007: Wouter - work on DS2KE routine. - val_nsec.c for validator NSEC proofs. diff --git a/validator/validator.c b/validator/validator.c index d26096938..60de3298f 100644 --- a/validator/validator.c +++ b/validator/validator.c @@ -566,12 +566,78 @@ validate_nameerror_response(struct module_env* env, struct val_env* ve, chase_reply->security = sec_status_secure; } -/** validate positive ANY response */ +/** + * Given an "ANY" response -- a response that contains an answer to a + * qtype==ANY question, with answers. This consists of simply verifying all + * present answer/auth RRsets, with no checking that all types are present. + * + * NOTE: it may be possible to get parent-side delegation point records + * here, which won't all be signed. Right now, this routine relies on the + * upstream iterative resolver to not return these responses -- instead + * treating them as referrals. + * + * NOTE: RFC 4035 is silent on this issue, so this may change upon + * clarification. + * + * Note that by the time this method is called, the process of finding the + * trusted DNSKEY rrset that signs this response must already have been + * completed. + * + * @param env: module env for verify. + * @param ve: validator env for verify. + * @param qchase: query that was made. + * @param chase_reply: answer to that query to validate. + * @param key_entry: the key entry, which is trusted, and which matches + * the signer of the answer. The key entry isgood(). + */ static void validate_any_response(struct module_env* env, struct val_env* ve, struct query_info* qchase, struct reply_info* chase_reply, struct key_entry_key* key_entry) { + struct ub_packed_rrset_key* s; + enum sec_status sec; + size_t i; + if(qchase->qtype != LDNS_RR_TYPE_ANY) { + log_err("internal error: ANY validation called for non-ANY"); + chase_reply->security = sec_status_bogus; + return; + } + + /* validate the ANSWER section. */ + for(i=0; ian_numrrsets; i++) { + s = chase_reply->rrsets[i]; + sec = val_verify_rrset_entry(env, ve, s, key_entry); + /* If the (answer) rrset failed to validate, then this + * message is BAD. */ + if(sec != sec_status_secure) { + log_nametypeclass(VERB_ALGO, "ANY response has " + "failed ANSWER rrset: ", s->rk.dname, + ntohs(s->rk.type), ntohs(s->rk.rrset_class)); + chase_reply->security = sec_status_bogus; + return; + } + } + + /* validate the AUTHORITY section as well - this will be the NS rrset + * (which could be missing, no problem) */ + for(i=chase_reply->an_numrrsets; ian_numrrsets+ + chase_reply->ns_numrrsets; i++) { + s = chase_reply->rrsets[i]; + sec = val_verify_rrset_entry(env, ve, s, key_entry); + /* If anything in the authority section fails to be + * secure, we have a bad message. */ + if(sec != sec_status_secure) { + log_nametypeclass(VERB_ALGO, "ANY response has " + "failed AUTHORITY rrset: ", s->rk.dname, + ntohs(s->rk.type), ntohs(s->rk.rrset_class)); + chase_reply->security = sec_status_bogus; + return; + } + } + + verbose(VERB_ALGO, "Successfully validated positive ANY response"); + chase_reply->security = sec_status_secure; } /** -- 2.47.2